Application Security: Q&A From Universe Session

Below are the Questions and Answers from the Virtual Universe session:


Micro Focus Virtual Universe Q&A – Application Security

Q: What version of WebInspect Enterprise allows for incremental scanning?

A: Incremental scanning is not currently available in WebInspect Enterprise. It is tentatively targeted for our enterprise scanning platform in 2021.

Q: Is the WebInspect workflow macro available for version 19.2?

A: You can download the Macro Recorder 5.0 from the Fortify Marketplace - https://marketplace.microfocus.com/fortify/content/webinspect-macro-recorder-5. As 20.1 is now available, our recommendation would be to upgrade to 20.1 where not only has the Macro Recorder been upgraded, but also the script engine for auditing purposes.

Q: Susceptibility analysis available for FoD customers?

Will this susceptibility analysis feature also be available for FoD customers? If so, will that only be available for those who are Sonatype customers as well?

A: There will be no upcharge for susceptibility analysis. The tool is currently under development with a mid-summer target release. We expect an FoD update around that same time, give or take a few weeks. Sonatype OSS scans are available now for purchase through FoD. Existing Sonatype customers can also BYOL.

Q: Are scripts an alternative to using the options in the GUI to set up scans?

To clarify, the scripts are an alternative to using the options in the GUI to set up scans. Correct?

A: This is correct.

Q: How long are the online courses in learn.sonatype.com?

A: The time varies across the different courses, but the average appears to be around 30-45 mins.

Q: Videos about using the WI proxy on Fortify Unplugged YouTube channel?

Do you have videos about using the WI proxy on Fortify Unplugged YouTube channel?

A: There aren't currently any WI Proxy videos available on the YouTube Fortify Unplugged channel. However, there are a couple that may be of interest around automation of WebInspect:

https://www.youtube.com/watch?v=WDhlmxHteEc

https://www.youtube.com/watch?v=WuljR-JDPVs

https://www.youtube.com/watch?v=uUrLPsFEfck

Q: How will Scan Central architecture affect E-DAST?

Do you have any information you can share on the upcoming Scan Central architecture and how that will affect E-DAST?

A: E-DAST has been built as a microservice in line with SSC's future architecture direction. The "sensors" are obviously different from static (Fortify SCA) to dynamic (WI), but the concept is the same. The same area where static sensors are managed will also allow you to manage dynamic sensors. Dynamic does not have a need for a "controller" like static analysis requires, since they are not having to extract content from a build server and provide that to a compatible sensor. E-DAST is a first-class citizen in SSC and we look forward to its release this Fall 2020.

Q: Publicly disclosed vulnerability

How accurate is the susceptibility analysis method of determining whether we are vulnerable to a publicly disclosed vulnerability?

A: It is trivial for Fortify SCA to determine whether a method or function has been invoked. Fortify SCA can also, with a high degree of accuracy, understand whether user-controlled input reaches a particular function or method. We are very confident in the prototype, and as long as the research to determine the vulnerable function or method is valid, the solution should be quite accurate. We do understand that in the future we may need to add the source of a dependency to the actual transitive model, if we are to understand transient dependencies.

Q: Filtering false positives in Fortify

What is the best way to filter out false positives in Fortify to ensure they never come up again for the current and all future versions of a project folder? I found a video on Fortify Unplugged where this was done via Audit Workbench. However, it appeared it was limited to just that project folder version. Is filtering via AWB the best method? Is there a way to do filtering directly in Fortify SSC? I can suppress vulnerabilities, but they often re-appear in future scans.

A: Thank you for your question. There are two methods you can use to filter or remove items that are considered false positives: you can use issue templates or custom rules.

Issue Templates are what is used in Software Security Center; however, it is called an Audit Template in Audit Workbench. There are two types of filters that can be used: folder filters or visibility filters.

Using folder filters, you can move an issue from one criticality to another (i.e. move a critical issue to the Low folder).

Using visibility filters, you can hide an issue.

It is easiest to create these filters using Audit Workbench (per the video) and then export the project template. Once the project template is created, you can upload the template to Software Security Center as an Issue Template. To use that template on an application, you apply that template in the application profile settings.

Q: Will Sonatype also support GitLab?

A: The tool is designed to work from a terminal. GitLab typically allows third-party tools to run by placing them in a Docker container and then calling them from the pipeline. The CLI tool that we use to fingerprint issues will work fine in GitLab.

Q: Can new dashboards be created in Fortify SSC on-prem and/or can you customize the default dashboard?

A: It is possible today to extract data from SSC using our API to drive custom-built dashboards. We have several customers today that currently do this. I would be happy to share the specific endpoints typically used, best practices, etc. In the product itself, we have been working in a branch on a new version of SSC which is a microservice-based architecture, and we are currently bringing ElasticSearch into SSC. That will drive a new dashboard engine with much more flexibility in SSC. The current target is Spring 2021. We will have a tech preview of the new architecture in June (also including Kafka, Docker, etc.).

Q: What's the difference between Software Composition Analysis and the SCA tool in Fortify?

A: Fortify SCA stands for Fortify Static Code Analyzer. It was named that about 16ish years ago, before this "SCA" acronym became commonplace to mean Software Composition Analysis. Software Composition Analysis typically refers to the known vulnerability space with regards to open source components. Static Code Analyzer finds weaknesses in proprietary code.

Q: Unauthorized and authorized scans

Is it possible to configure 2 different scan templates to execute unauthorized & authorized scans in parallel for one application?

A: Yes, in WebInspect Enterprise you can create multiple templates for an application. You can have one template for authenticated and one template for unauthenticated scans.

Q: Sensitive Data Mgmt - data limitation?

Is there a limit to the amount of data that can be scanned or analyzed with Micro Focus product?

A: For structured data, any JDBC-compliant database can be analyzed. We most frequently analyze Oracle, SQL Server, DB2 and Postgres. We also use third-party connectors when we cannot connect directly to the database. SAP is an example where we leverage a third-party connector to access the database.

For unstructured data, we can also analyze content on file shares, SharePoint, O365, GDrive, FileNet, Documentum, Hadoop, Notes, Box and other document repositories. There are several hundred connectors built to collect data from most content management repositories.

Q: Sensitive Data Management - number of grammars

How many grammars are already built to find sensitive data? And can additional grammars be created?

A: The number of out-of-the-box Grammars is slightly different for structured data versus unstructured repositories. With that said, there are several hundred out-of-the-box Grammars, and custom Grammars can be added by the customer, a Micro Focus partner or the team delivering the solution.

Note that some Grammars are created for a specific language or region. As an example, Ship To Address or Phone Number will be different in the AMS region versus EU countries.

Q: How many different database or repository types can be analyzed with the Micro Focus product?

A: For structured data, any JDBC-compliant database can be analyzed. We most frequently analyze Oracle, SQL Server, DB2 and Postgres. We also use third-party connectors when we cannot connect directly to the database. SAP is an example where we leverage a third-party connector to access the database.

For unstructured data, we can also analyze content on file shares, SharePoint, O365, GDrive, FileNet, Documentum, Hadoop, Notes, Box and other document repositories. There are several hundred connectors built to collect data from most content management repositories.

Q: Should you scan 100% of the data or just a sample?

A: Related to the Data Discovery tools discussed in the Sensitive Data Management sessions, you should consider what data elements (which we refer to as Grammars) are important for Data Discovery and potentially Privacy.

As it relates to sample size, the software has an option to configure Sample Size and/or Percent of data when performing a scan for sensitive data, and it is important to review these settings, as they can have an impact on the scanning process.
